How to protect your web applications
Magno Logan
magno.logan@owasp.org
OWASP Paraíba Chapter Leader
About Me
Who am I?
• Ex-developer
• Security Analyst
• Chapter Leader
• Martial Arts
• Investments
Agenda
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems
They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5 million or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
So, how to protect them?!
1. Security Testing
2. Code Review
3. SDL
OWASP Top 10 2010
Testing, testing, testing…
And more testing… 2011 CWE/SANS Top 25
So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated tools/scanners and script kiddies
By the way, if you work with AppSec and you have never heard of these two docs…
You need to find another job!
Many more FREE resources!
Not just OWASP stuff…
Ok, now what?!
OWASP Code Review Guide
• Code review takes a deeper look into your app
• Things that automated scanners won’t find
• You’ll see the common mistakes devs make
We fixed the problems. How to stop them?
• Implement an SDL process
• Train your developers in app security
• They don’t need to be experts, but they should at least know how it works and how to protect their apps
Yay! More free stuff…
• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security program
• OWASP Developer’s Guide – tips to devs
It’s not that simple…
• If we have all that, why aren’t our apps secure?
• Why don’t even the big companies follow the basic rules? Hello LinkedIn!
We know, we know…
• Security costs money. Yeah, but so does development, support, operations, etc.
• Security costs money. But it will save you a lot more!
Why do most companies still not see the value of security until they get hacked?
Like Dinis Cruz said at AppSec Latam 2011:
Unless you’ve been hacked before…
If it compiles, Ship it!
That’s the motto in most dev companies
The real picture (Developer’s view)
• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time
How it should be…
• Dev and infosec should work together
• Security practices and implementations should be included in the project schedule
• It will increase the apps’ protection and decrease the amount of bugs and work
In a nutshell…
• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project
• Never assume security controls are effective
Questions?
@magnologan
@owasppb
References
Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”). YSTS 2012
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org

BHack 2012 - How to protect your web applications